{"id":25191425,"url":"https://github.com/trainline/webpack-bundle-delta","last_synced_at":"2026-03-11T10:03:18.738Z","repository":{"id":39725670,"uuid":"306561289","full_name":"trainline/webpack-bundle-delta","owner":"trainline","description":"Get insights into your webpack v4 bundles as early as possible.","archived":false,"fork":false,"pushed_at":"2023-07-19T00:22:12.000Z","size":3280,"stargazers_count":24,"open_issues_count":22,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-10-03T13:24:10.669Z","etag":null,"topics":["ci","stats","webpack"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trainline.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-23T07:30:31.000Z","updated_at":"2025-06-09T12:01:12.000Z","dependencies_parsed_at":"2025-05-07T21:06:13.153Z","dependency_job_id":"5e3bdfc8-1d08-4bed-98df-1c6b63650099","html_url":"https://github.com/trainline/webpack-bundle-delta","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/trainline/webpack-bundle-delta","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trainline%2Fwebpack-bundle-delta","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trainline%2Fwebpack-bundle-delta/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trainline%2Fwebpack-bundle-delta/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trainline%2Fwebpack-bundle-delta/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trainline","download_url":"https://codeload.github.com/trainline/webpack-bundle-delta/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trainline%2Fwebpack-bundle-delta/sbom","scorecard":{"id":896723,"data":{"date":"2025-08-11","repo":{"name":"github.com/trainline/webpack-bundle-delta","commit":"96b96b3bc9234aaf5de190a306d5b61a7d850e3b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/node.js.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":3,"reason":"Found 5/13 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/trainline/webpack-bundle-delta/node.js.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/trainline/webpack-bundle-delta/node.js.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 23 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"80 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x","Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw","Warn: Project is vulnerable to: GHSA-w8qv-6jwh-64r5","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c","Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq","Warn: Project is vulnerable to: GHSA-434g-2637-qmqr","Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m","Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw","Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p","Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747","Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh","Warn: Project is vulnerable to: GHSA-8gh8-hqwg-xf34","Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q","Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6","Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j","Warn: Project is vulnerable to: GHSA-896r-f27r-55mw","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q","Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33","Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959","Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6","Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq","Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488","Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw","Warn: Project is vulnerable to: GHSA-7wpw-2hjm-89gp","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g","Warn: Project is vulnerable to: GHSA-px4h-xg32-q955","Warn: Project is vulnerable to: GHSA-8g77-54rh-46hx","Warn: Project is vulnerable to: GHSA-q674-xm3x-2926","Warn: Project is vulnerable to: GHSA-3j8f-xvm3-ffx4","Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653","Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj","Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67","Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w","Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2","Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6","Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59","Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx","Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch","Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6","Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj","Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-jgrx-mgxx-jf9v","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v","Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7","Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T13:59:21.894Z","repository_id":39725670,"created_at":"2025-08-24T13:59:21.894Z","updated_at":"2025-08-24T13:59:21.894Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30377837,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-11T06:09:32.197Z","status":"ssl_error","status_checked_at":"2026-03-11T06:09:17.086Z","response_time":84,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","stats","webpack"],"created_at":"2025-02-09T22:21:50.467Z","updated_at":"2026-03-11T10:03:18.718Z","avatar_url":"https://github.com/trainline.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# webpack-bundle-delta\n\n[![npm](https://badgen.net/npm/v/@trainline/webpack-bundle-delta)](https://www.npmjs.com/package/@trainline/webpack-bundle-delta) ![typings included](https://badgen.net/npm/types/@trainline/webpack-bundle-delta) [![Nodejs Workflow](https://github.com/trainline/webpack-bundle-delta/workflows/Node.js%20CI/badge.svg)](https://github.com/trainline/webpack-bundle-delta/actions?query=workflow%3A%22Node.js+CI%22)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./docs/images/logo.png\" alt=\"Webpack Bundle Delta Logo\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  Get insights into your \u003cstrong\u003ewebpack \u003cem\u003e(v4 or v5)\u003c/em\u003e\u003c/strong\u003e bundles as early as possible.\n\u003c/p\u003e\n\nFeatures:\n- See [webpack chunk](https://webpack.js.org/guides/code-splitting/) deltas (size, gzip size, and brotli size)\n- Computes the delta for pull requests between [base and head](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/changing-the-base-branch-of-a-pull-request)\n- Surface the relevant information to pull requests via [dangerjs](https://danger.systems/js/)\n- Plugin system allows extending with more features as we improve our knowledge on how to better optimise our bundles\n\nWhy?\n- Performance is crucial to any website\n- Understanding the changes that occur in applications as early as possible ensures that any unforeseen changes don't make it to production\n- Automates steps that the performance team manually were doing earlier\n\n**Check out the [docs folder](docs) for more details, including [architecture design](docs/architecture.md).**\n\n*Note: this tool is still in its infancy and we welcome [contributions](CONTRIBUTING.md) to make it better.*\n\n## Usage\n\n1. [Gather webpack bundle stats](./docs/gather-webpack-stats.md)\n2. [Produce compressed output of your files](./docs/compression-output.md)\n3. Install via `yarn` or `npm`\n    ``` console\n    yarn add @trainline/webpack-bundle-delta --dev\n    # or\n    npm i -D @trainline/webpack-bundle-delta\n    ```\n4. [Optionally] [configure](./src/config/README.md) `webpack-bundle-delta` to your needs\n5. Follow either the `cli` or `dangerjs` setup below\n6. Enjoy the stats!\n\n### CLI\n\nCLI can be used if you wish to simply see the results as part of your build.\n\nAs an example, to compare 2 compilation stats JSON files, you could do the following\n\n``` bash\n$ webpack-bundle-delta local ./path-to/base-stats.json ./path-to/head-stats.json\n```\n\nWhich would result in a similar output to the below\n```\n# Webpack Bundle Delta\n\n3 files changed significantly, 144 files had little to no change\n\n## Size changes\n\n### Significant changes\n\n| File                       |            Size             |         Gzip size          |        Brotli size         |\n| :------------------------- | :-------------------------: | :------------------------: | :------------------------: |\n| vendors~tocInformation.mjs | 30.28KB (+7.39KB / +32.31%) | 9.34KB (+2.03KB / +27.81%) | 8.06KB (+1.73KB / +27.25%) |\n| vendors~tocInformation.js  | 32.19KB (+7.68KB / +31.36%) | 9.75KB (+2.09KB / +27.34%) | 8.43KB (+1.78KB / +26.69%) |\n| trainTimesPageV2.css       | 237.71KB (+2.42KB / +1.03%) |  37.46KB (+398B / +1.05%)  |  30.81KB (+353B / +1.13%)  |\n\n### Minor changes\n\n| File                 |           Size            |        Gzip size         |       Brotli size        |\n| :------------------- | :-----------------------: | :----------------------: | :----------------------: |\n| trainTimesPageV2.mjs | 565.71KB (+347B / +0.06%) | 150.4KB (-431B / -0.28%) | 118.66KB (+69B / +0.06%) |\n| trainTimesPageV2.js  | 623.43KB (+370B / +0.06%) | 162.1KB (-22B / -0.01%)  | 124.97KB (+10B / +0.01%) |\n| intl.js              |            80B            |            -             |            -             |\n| intl.mjs             |            80B            |            -             |            -             |\n| locale-data-fr.js    |          11.08KB          |          1.8KB           |          1.54KB          |\n| locale-data-fr.mjs   |          10.71KB          |          1.61KB          |          1.38KB          |\n\n\u003ctruncated as the table gets quite long\u003e\n\n## Trace changes\n\ntrainTimesPageV2.js\n\n- ./src/private/common/pages/train-times-v2/index.jsx: 2.06KB (641B / 43.58%)\n- ./src/private/common/pages/train-times-v2/TrainTimesPage.jsx + 20 modules: 24.58KB (346B / 1.39%)\n\nvendors~tocInformation.js\n\n- @fleet-components/app-banner/module/index.js + 3 modules: 16.67KB (ADDED, +3 modules)\n- @fleet-components/app-banner/module/translations/en.json: 2B (ADDED)\n\ntrainTimesPageV2.mjs\n\n- ./src/private/common/pages/train-times-v2/index.jsx: 1.71KB (567B / 47.73%)\n- ./src/private/common/pages/train-times-v2/TrainTimesPage.jsx + 20 modules: 21.17KB (322B / 1.51%)\n\nvendors~tocInformation.mjs\n\n- @fleet-components/app-banner/module/index.js + 3 modules: 15.27KB (ADDED, +3 modules)\n- @fleet-components/app-banner/module/translations/en.json: 2B (ADDED)\n\n\n## Duplication detection\n\nNo duplicate dependencies introduced\n\n\n## Resolve Alias Remap\n\nYour build is all good! (no suggestions available)\nDone in 2.83s.\n```\n\nUse `webpack-bundle-delta -h` to see what options are available:\n- `base` and `head` sha need to be manually specified if the data sources require it\n\n### Danger JS file (Pull request integration)\n\nWhilst being able to see the output in build log files is great, surfacing the information up to pull requests makes it clear for developers and reviews as to the impact of their changes.\n\n[Danger js](https://danger.systems/js/) is a great tool for helping consumers (and plugins) add information to pull requests (and provides a lot of flexibility such as ability to use it with other code repositories other than GitHub).\n\nGiven that, if you have not set up Danger, that would be the first step. Once you've done that, in your `dangerfile.js` import the danger setup, and an appropriate data source.\n\n``` javascript\nimport { danger, TeamCityDataSource } from 'webpack-bundle-delta';\n\n// ... other danger rules\n\ndelta({\n  dataSource: new TeamCityDataSource({\n    // data source options\n  }),\n  baseSha: danger.github.pr.base.sha,\n  headSha: danger.github.pr.head.sha,\n});\n```\n\nWhich would result in a PR comment\n![Danger post on PR comment with Webpack Bundle Delta Output](docs/images/pr-comment-collapsed.png)\n\nAnd when expanded\n\n![Danger post on PR comment with Webpack Bundle Delta Output expanded](docs/images/pr-comment-expanded.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrainline%2Fwebpack-bundle-delta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrainline%2Fwebpack-bundle-delta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrainline%2Fwebpack-bundle-delta/lists"}